security and assurance lecture jan 14
1. Securing the Unsecured in Cyber Space
Creating Digital Trust in Cyber Era
Cyber Security Cyber Assurance
The need of Enterprises of Tomorrow
Prof. K. Subramanian
SM(IEEE), SMACM, FIETE, FNTF SMCSI,MAIMA,MAIS,MCFE,MISACA(USA)
EX-Professor & Director, Advanced Center for Informatics & Innovative
Learning (ACIIL), IGNOU
Former IT Adviser to CAG of India
Ex-SR.1DDG(NIC), Min of Communications & Information Technology
Former President, Cyber Society of India
Emeritus President, eISSA
Academic Advocate of ISACA (USA) in India
Prof. KS@2014 csi chennai Lecture Cyber Security-->Cyber Assurance Jan 6,2014
2.
Cyberspace is dynamic, undefined and exponential.
Countries need dynamic laws, keeping pace with the technological advancements.
In a virtual space, netizens exist, citizens don't!
Trust in e-environments: the issues
• Lack of a mature IT society
• Absence of a single governing body
• Legislation
• High skill inventory
• Reduced fear of being caught
• Disgruntled employees
15th April 2009
3.
"The poor have sometimes objected to being
governed badly; the rich have always objected to
being governed at all." G. K. Chesterton
“Ever since men began to modify their lives by using
technology they have found themselves in a series of
technological traps.” Roger Revelle
“The law is the last interpretation of the law given by the last
judge.”- Anon.
“Privacy is where technology and the law collide.”
--Richard Smith
(who traced the ‘I Love You’ and ‘Melissa viruses’)
"Technology makes it possible for people to gain
control over everything, except over technology"
John Tudor
4. In the Era of Digital Age
• Can all users be identified (e.g., employees, contractors, and business partners)?
• Do IT managers know what users have access to?
• Can all the interactions among users, assets, and applications be identified?
• Do IT managers have verifiable evidence that controls are working, and that appropriate action takes place when a policy infraction occurs? Does this evidence exist in minutes rather than months?
• No one standard meets all requirements: advise on specific group standards (medical, commerce/trade services, Highend-KBPOS)
Ten Important Imperatives
• IT & Law
• Security & Risk
• Business Integration
• Value to the Enterprise
• Alignment = collaboration
• Governance and funding
• IT sourcing & ITES outsourcing
• Performance Measures
• Growing talent
• Beyond customer service
5. Perfect Security—A Dream
• "Perfect security is not achievable."
• "At the end of the day, [the security function] is about managing the frequency and magnitude of loss."
• Concerns: PRIVACY vs SOCIETY, SAFETY, SECURITY, Trust
6. “In security matters,
there is nothing like absolute security”
“We are only trying to build comfort levels,
because security costs money and lack of
it costs much more”
“Comfort level is a manifestation of efforts as well as a realization of its effectiveness & limitations”
8. Cyber Threats 2013
Data, Mobility, Questions of Responsibility
10. eSecurity Technologies
Cryptography & Cryptology
Steganography
Digital Water Marking
Digital Rights Management
Cyber Defence technologies (Firewall, IDS/IPS, Perimeter and Self-Defence)
Access Control & ID Management (Rule, Role, Demand Based)
Signatures (Digital/Electronic)
Cyber Forensics & Cyber Audit
11. Cyber Security – A Holistic View
Authentication
Threat Management & Early Warning
Encryption
Antivirus
Honey Pot & Decoy
Firewall Technology
Intrusion Detection
Vulnerability Assessment
Policy Compliance
Proactive Control
Event & Incident Mgmt
Access Control & Authorization
Identity Mgmt
Config. Mgmt
Attack Recovery
Common Tools/Svcs: Console, VPN, Content Updates & Security Response, 24x7 Global Customer Support
Source: Symantec Inc
14. Government Policy Guidelines
• Policy on Identity and Access Management: an e-Governance standards initiative to make e-Government programs and their services a reality
• Draft document “e-Governance Information Security Standard” (Version 01, dated 12th October 2006) has proposed additional security controls for e-Governance purposes, viz. data security and privacy protection, network security, and application security
• Draft document “Base line security requirements & Selection of controls” (Version 01, 12th October 2006)
http://egovstandards.gov.in
15. Strategy-Policy-Good Practice
• “Information Security Policy for Protection of Critical Information Infrastructure” (No. CERTIn/NISAP/01, issued on 1st May 2006) – recent guidelines
• Information & Privacy Protection Policy, apart from the IT Act & RTI Act
• Stopping spam before it stops you – SPAM policy to be done
• Privacy/Data Protection Legislation – underway
"Data disposal, anonymity, trust, privacy management, and systems development activities are just a few of the many privacy concerns organizations must address, and they need to thoughtfully create a privacy strategy that is clearly and consistently supported by the top business leaders."
16. Corporate Governance
Business Assurance Framework
Global Phenomena
• Combined Code of UK and SOX of USA
• Basel II & III directives
• Project Governance
• IT Governance
• Human & Humane Governance
India Initiatives
• 1. Clause 49
• 2. Basel II & III - RBI
• 3. SEBI Corporate Governance Implementation
• 4. Risk management - RBI & TRAI
• 5. MCA Initiatives - New Company Law
17. Learning From Experience
1. The only source of knowledge is experience.
-- Einstein
2. One must learn by doing the thing; for though you think you
know it, you have no certainty, until you try.
-- Sophocles
3. Experience is a hard teacher because she gives the test first,
and the lesson afterwards.
-- Vernon Sanders Law
4. Nothing is a waste of time if you use the experience wisely.
-- Rodin
18. Known Threat Assessment Approaches
• Privilege Graph [Dacier et al. 94]: vertices/nodes represent privilege states; edges/arcs represent privilege escalation
• Attack Graph [Philips et al. 98, 01, 02]: vertices/nodes represent network states; edges/arcs represent atomic exploits
Shortcomings
• Too many details, very fine-grained
• Without automation, model instantiation is cumbersome
• Model-checking can help, but state explosion problem
• Insider attacks may succeed without privilege escalation or vulnerabilities
Recent Insider Threat Mitigation Tools
• Skybox View
• Sureview from Oakley Networks
• iGuard from Reconnex
• Content Alarm from Tablus
• Vontu from Vontu, Inc.
• Rule-based techniques
• Detect policy violations
• Forensics analysis
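The privilege/attack-graph model described on this slide, as an added example that is not part of the lecture or of the cited papers: states are (host, privilege) pairs, each edge is one atomic exploit, and breadth-first search returns the path with the fewest exploits. The host names and exploit labels are hypothetical. The last two calls illustrate two points the slide makes: removing the one exploit every path depends on makes the target unreachable (the basis for prioritising a patch), and an insider who already holds the target privilege needs no edge at all, so the graph flags nothing for them.

```python
from collections import deque

# Hypothetical attack graph (constructed for this example). Vertices are
# privilege states (host, privilege); each edge is an atomic exploit that
# takes the attacker from one state to the next.
ATTACK_GRAPH = {
    ("internet", "none"): [
        (("web", "www-data"), "unauthenticated file upload on web app"),
    ],
    ("web", "www-data"): [
        (("web", "root"), "local privilege escalation via sudo misconfiguration"),
        (("app", "svc"), "reuse of service password found in web config"),
    ],
    ("web", "root"): [
        (("app", "svc"), "SSH key readable from root home directory"),
    ],
    ("app", "svc"): [
        (("db", "dba"), "database credentials in application properties file"),
    ],
    ("db", "dba"): [],
}


def shortest_attack_path(graph, start, goal):
    """Breadth-first search over privilege states. Returns the fewest-exploit
    path as a list of (state, exploit_used_to_reach_it); the first element is
    (start, None). Returns None when the goal is unreachable."""
    parent = {start: (None, None)}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        if state == goal:
            path = []
            while state is not None:
                prev, exploit = parent[state]
                path.append((state, exploit))
                state = prev
            return list(reversed(path))
        for nxt, exploit in graph.get(state, []):
            if nxt not in parent:
                parent[nxt] = (state, exploit)
                queue.append(nxt)
    return None


def exploits_on_path(path):
    """The ordered list of atomic exploits an attacker has to chain."""
    return [exploit for _, exploit in path if exploit is not None]


def without_exploit(graph, exploit):
    """Copy of the graph with every edge carrying `exploit` removed, i.e. the
    model after that vulnerability has been patched or mitigated."""
    return {state: [(n, e) for n, e in edges if e != exploit]
            for state, edges in graph.items()}


if __name__ == "__main__":
    start, goal = ("internet", "none"), ("db", "dba")
    path = shortest_attack_path(ATTACK_GRAPH, start, goal)
    print("external attacker needs:", exploits_on_path(path))
    hardened = without_exploit(ATTACK_GRAPH, "database credentials in application properties file")
    print("after removing the credentials exposure:", shortest_attack_path(hardened, start, goal))
    # Insider caveat from the slide: a legitimate DBA already sits at the goal.
    print("insider (DBA) needs:", exploits_on_path(shortest_attack_path(ATTACK_GRAPH, goal, goal)))
```

The state-explosion shortcoming is visible even here: the vertex set is the product of hosts and privilege levels, so a realistic network needs automated instantiation from scan data rather than a hand-written dictionary.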
19. CERTIFICATION
SEMANTIC ISSUES
• What is certification; what does it denote and mean?
• What are the principal concepts and elements of certification?
• What is it you are certifying? (Object of certification)
• What additional concepts and notions are expressed and implied by certification?
• Certification with respect to what? (Basis for certification)
• What is the intent of the certification; what is it you are trying to do in certifying something?
• What relation must exist for certification? (Object/basis relation)
TECHNOLOGICAL ISSUES
• How is certification achieved?
• How are the prerequisites and context for certification established?
ADMINISTRATIVE ISSUES
• What activities/decisions are prerequisite for certification?
• Who does the certification?
• Who is the recipient of the certification?
• How and when is certification to be conducted?
• What is the significance of the certification for the certifier?
• What is the significance of the certification for the recipient?
• Why certify?
20. Security Assurance - Expectations
“To determine how much is too much, so that
we can implement appropriate security
measures to build adequate confidence and
trust”
“To derive a powerful logic for implementing or not
implementing a security measure”
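Slide 5 frames security as managing the frequency and magnitude of loss, and this slide asks for a logic that decides whether a measure is worth implementing. The following is an added example, not from the lecture, of that logic in working form: loss frequency is modelled as a Poisson count per year and incident magnitude as a lognormal amount, the expected annual loss is computed in closed form, and a Monte Carlo run answers the "how much is too much" question as the probability that a year's losses exceed a chosen budget. All figures are hypothetical and the distributions are modelling assumptions, not data from the slides.

```python
import math
import random


def poisson_count(rate, rng):
    """Draw one year's incident count from Poisson(rate) (Knuth's method)."""
    limit, count, product = math.exp(-rate), 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def expected_annual_loss(freq_per_year, median_loss, sigma):
    """Closed-form annualised loss expectancy: incident frequency times the mean
    of a lognormal magnitude with the given median and log-standard-deviation."""
    return freq_per_year * median_loss * math.exp(sigma ** 2 / 2)


def simulate_annual_losses(freq_per_year, median_loss, sigma, years=20000, seed=1):
    """Monte Carlo: for each simulated year draw the incident count, then one
    lognormal magnitude per incident; return the list of annual totals."""
    rng = random.Random(seed)
    mu = math.log(median_loss)
    totals = []
    for _ in range(years):
        n = poisson_count(freq_per_year, rng)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return totals


def exceedance_probability(totals, threshold):
    """Fraction of simulated years whose total loss exceeds `threshold`."""
    return sum(1 for t in totals if t > threshold) / len(totals)


def control_is_worthwhile(loss_without, loss_with, annual_control_cost):
    """Implement a control only if the expected loss it removes exceeds what it costs."""
    return loss_without - loss_with > annual_control_cost


if __name__ == "__main__":
    # Hypothetical figures: about 2 incidents a year with a median loss of
    # 1,00,000 before the control; a control costing 1,00,000 a year is
    # assumed to halve both frequency and median magnitude.
    before = dict(freq_per_year=2.0, median_loss=100_000, sigma=1.0)
    after = dict(freq_per_year=1.0, median_loss=50_000, sigma=1.0)
    ale_before = expected_annual_loss(**before)
    ale_after = expected_annual_loss(**after)
    print(f"expected annual loss before: {ale_before:,.0f}  after: {ale_after:,.0f}")
    print("implement the control:", control_is_worthwhile(ale_before, ale_after, 100_000))
    losses = simulate_annual_losses(**before)
    print("P(annual loss > 10,00,000) without the control:",
          exceedance_probability(losses, 1_000_000))
```

The closed-form figure is enough for the implement/do-not-implement decision; the simulation is what tells the board how often a bad year exceeds the amount they have said is too much, which the mean alone hides because the lognormal tail is long.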
21. Managing Interdependencies
Critical in Enterprises/Institutions
• Infrastructure characteristics (organizational, operational, temporal, spatial)
• Environment (economic, legal/regulatory, technical, social/political)
• Coupling and response behavior (adaptive, inflexible, loose/tight, linear/complex)
• Type of failure (common cause, cascading, escalating)
• Types of interdependencies (physical, cyber, logical, geographic)
• State of operations (normal, stressed/disrupted, repair/restoration)
22. Identity Management
• Identity management is not new, but has evolved from the days of a single password entry onto the network to a comprehensive set of processes and systems that make it easier for all users to access information in real time and in a much more secure manner.
• ID management tends to center on technical improvements in system security, but the more important benefits are the opportunities gained by collaborating with vendors, suppliers, and customers across the supply chain.
• The real value of an ID management solution is that it ultimately enables this wide range of business enterprise.
23. Biometric System Operates on
• Verification (1:1: the captured sample is compared with the stored template of the identity the user claims)
• Identification (1:N: the captured sample is searched against all enrolled templates)
25. Layered E-trust Framework
Layers
• Computing E-trust Services
• Shared E-trust Applications
• Trusted Digital Identity Infrastructure
• PKI Technology
Single e-trust Applications: B2B, B2C, SET, C2C
Layer 2 Service Provider example: Identrus
26. Present Risk Certification Issues
Trust
• Trust cannot be bought or sold. It has to be created.
• Trust is earned and not given away.
• A trusted third party or a trusted CA raises the questions:
- trusted in relationship to whom?
- trusted by whom?
- trusted for what?
- trusted for how long?
27. 9 Rules of Risk Management
• There is no return without risk: rewards go to those who take risks.
• Be transparent: risk should be discussed openly.
• Know what you don't know: question the assumptions you make.
• Communicate: risk is measured, and managed, by people, not mathematical models.
• Diversify: multiple risks will produce more consistent rewards.
• Show discipline: a consistent and rigorous approach will beat a constantly changing strategy.
• Use common sense: it is better to be approximately right than to be precisely wrong.
• Return is only half the question: decisions are to be made only by considering the risk and return of the possibilities.
Source: RiskMetrics Group
28. • Universality: each person should have the characteristic.
• Distinctiveness: any two persons should be different in terms of the characteristic.
• Permanence: the characteristic should be sufficiently invariant (w.r.t. the matching criterion) over a period of time.
• Collectability: the characteristic should be quantitatively measurable.
29. • Uniform naming convention: absent
• Birth & death registration: incomplete
• No social security registration number
• Absence of identity documents such as phones and driving licenses available to everybody
• Electoral ID DB: complete set not there, but at least covers 600-650 m records; not auditable and verifiable
• Absence of PAN & other ID numbers for everybody; not auditable & verifiable
30. • By Possession
  • Password
    • Static
    • Dynamic
• By Association
  • PIN/TOKEN
• By Card
• By Biometrics
• By Government
  • PAN (Taxation)
  • Passport
  • Social Security Number
  • Citizenship ID No.
  • Senior Citizen Number
Cognizant Address, 23rd June 2005
31. • Domain Name System (DNS)
• Dynamic Host Configuration Protocol (DHCP)
• Remote Authentication Dial-In User Service (RADIUS)
• Lightweight Directory Access Protocol (LDAP)
• Microsoft's Active Directory
• Novell Directory Services (NDS)
• Public Key Infrastructure (PKI)
32. • Most enterprises have no common, unified
database of user profiles, access rights, and
device identity. This situation has put the
integrity of core infrastructure network
services in jeopardy in the following areas:
• Security.
• Reliability.
• Cost.
• Software Version Control.
• Scalability.
33.
Challenges
• Internal competition from liberalization
• World competition from globalization
• Entrenched competition abroad
• Asymmetry in scale, technology, brands
• Industry shakeouts and restructuring
Responses
• Learn more about own businesses.
• Reach out to all Business & Function Heads.
• Sharpen internal consultancy competences.
• Proactively seize the repertoire of MS & Partners.
• Foster two-way flow of IS & Line talent.
34. Key Areas of Assurance
• Organizational
- Systems in place to identify & mitigate differing risk perceptions of
stakeholders to meet business needs
• Supplier
- Confidence that controls of third party suppliers adequate & meets
organization’s benchmarks
• Business Partners
- Confirmation that security arrangements with partners assess & mitigate
business risk
• Services & IT Systems
- Capability of developers, suppliers of IT services & systems to implement
effective systems to manage risks to the organization’s business
35. Benefits of Assurance
• Contributes to effectiveness & efficiency of business operations
• Ensures reliability & continuity of information systems
• Assists in compliance with laws & regulations
• Assures that organizational risk exposure mitigated
• Confirms that internal information accurate & reliable
• Increases investor and lenders confidence
Source: Prof. KS@2009: BMS CII Conference, New Delhi, April 14-15, 2009
36. Cyber Assurance Framework
• Insurance: protection of classified assets
• Audit: gives comfort level (internal/external)
  • Pre audit
  • Concurrent audit
  • Post audit
• Assurance: a greater degree of comfort as it is multilayered
  • Management
  • Operational
  • Technology/technical
  • Network
  • Legal
  • Impact
37. Standards, Standards, Standards
Technical vs Management
• Security
• Audit
• Interoperability
• Interface (systems/devices/communications)
• Architecture/Building Blocks/reusable
• HCI (Human Computer Interface)
• Process (Quality & Work)
• Environmental (Physical, Safety, Security)
• Data Interchange & mail messaging (Information/Data Exchange)
• Layout/Imprint
• BCM
Technical Standards/Specifications: mainly for interoperability, accessibility and interactivity
Management standards: auditable & verifiable; certification & compliance
38. Importance of Group Standards -no one standard meets all requirements
ISO 27001/BS7799 Vs COBIT Vs CMM Vs ITIL
Mission
Business Objectives
Business Risks
Applicable Risks
Internal Controls
Review
41. Legislative Trust & Techno-Legal Issues & Amendment to IT Act or Legislation of New Acts
• Authentication for retrieval
• Authorized access and control of access
• Security standards for certification, mandatory for compliance, for electronic archives
• Information/Data Protection (Privacy and Piracy)
• Information management and continuous preservation in electronic archives
• Information Assurance and Auditability
Legal/Regulatory Framework & Attributes
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability of information
42. “IT Regulations and Policies-Compliance &
Management”
Pre-requisites: physical infrastructure and mind-set
• PAST: we have inherited a past, for which we cannot be held responsible;
• PRESENT: we have fashioned the present on the basis of development models, which have undergone many mid-course corrections;
• FUTURE: the path to the future -- a future in which India and Indians will play a dominant role in world affairs -- is replete with opportunities and challenges.
In a number of key areas, it is necessary to break from the past in order to achieve our vision.
We have within ourselves the capacity to succeed.
We have to embrace an Integrated Security & Cyber Assurance Framework.
44. CXO~CEO Internal Strategic Alliances
• CIO & CEO: Business-led information strategy
• CIO & CMO: Competitive edge & CVP
• CIO & CTO: Cost-benefit optimization
• CIO & CFO: Shareholder value maximization
• CIO & CHRO: Employee performance and rewards
• CIO & Business Partners: Virtual extended enterprise
The Productivity/Performance Promise
• Capital productivity (ROI, EVA, MVA)
• Material productivity (60% of cost)
• Managerial productivity (information worker)
• Labour productivity (enabled by IW)
• Company productivity (micro)
• Factor productivity (macro)
45. Towards Information/Business Assurance
• Increasingly, the goal isn't about information
security but about information/Business
assurance, which deals with issues such as
data/information availability and integrity.
• That means organizations should focus not
only on risk avoidance but also on risk
management. "You have to be able to
evaluate risks and articulate them in business
terms“
--Jane Scott-Norris, CISO at the U.S.
State Department
46. Comparison of Seals
Web certification seal | Product cost | Privacy of data | Security of data | Business policies | Transaction processing integrity
BBB Online | Low | No | No | Lightly covered | No
TRUSTe | Low | Yes | No | No | No
VeriSign | Low to medium | No | Yes: data transmittal; No: data storage | No | No
ICSA | High | Yes | Yes | Somewhat covered | Lightly covered
WebTrust | High | Yes | Yes | Yes | Yes
47. Security Governance Maturity Model
48. Cyber Forensics & Cyber Frauds
• Digital forensics
• Email forensics
• Image forensics
• Video forensics
• Storage forensics
• Audio forensics
• Network forensics
• Data/Information forensics
49. Types of Frauds
Conflict of Interest
Nepotism
Gratuities
False Statements
Omissions
Favoritism
False Claims
Forgery
Kickbacks
Misappropriation
Conspiracy
Alterations
Breach of Duty
Bribery
Substitution
Impersonation
Embezzlement
Extortion
50. Common Red Flags Signaling Management Fraud
o Management decisions are dominated by an individual
or small group.
o Managers’ accounting attitudes are unduly
aggressive.
o Managers place much emphasis on meeting earnings
projections.
o Management’s business reputation is poor.
o Management has engaged in opinion shopping.
o Managers are evasive responding to auditors’ queries.
o Managers engage in frequent disputes with auditors.
o Managers display significant disrespect for regulatory
bodies.
o Company has a weak internal control environment.
51. Common Red Flags Signaling Management Fraud
o Company accounting personnel are lax or
inexperienced in their duties.
o Company employs inexperienced managers.
o Company is in a period of rapid growth.
o Company profit lags the industry.
o Company has going concern problems (bankruptcy).
o Company is decentralized without adequate
monitoring.
o Company has many difficult accounting measurement
and presentation issues.
o The company may be offered for sale.
o The company makes acquisitions using its stock.
52. Common Red Flags Signaling Employee Fraud
o Customer complaints.
o Missing documents.
o Adjustments to receivables and payables.
o Unusual endorsements on checks.
o Increased past due receivables.
o Unexplained adjustments to inventory balances.
o Inventory shortages.
o General ledger does not balance.
o Unexplained adjustments to accounts receivable.
53. Common Red Flags Signaling Employee Fraud
o Increased scrap.
o Alterations on documents.
o Duplicate payments.
o Employees cannot be found.
o Documents photocopied.
o Dormant accounts become active.
o Common names or addresses for refunds.
o Old items in bank reconciliations.
o Old outstanding checks.
o Unusual patterns in deposits in transit.
o Cash shortages and overages.
o Excessive voids and credit memos.
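Four of the employee-fraud red flags on slides 52 and 53 (duplicate payments, common addresses for refunds, dormant accounts becoming active, old outstanding checks) can be turned into detection rules that run over a ledger export. The following is an added example, not from the lecture: the ledger is a constructed sample with hypothetical payees, accounts and amounts, and the thresholds (30-day duplicate window, 365 days of dormancy, 180-day check age) are assumptions an auditor would tune to the business.

```python
from collections import defaultdict
from datetime import date


def rec(rid, d, kind, account, payee, address, amount, cleared=None):
    """Build one ledger record (helper for the constructed sample below)."""
    return {"id": rid, "date": d, "type": kind, "account": account, "payee": payee,
            "address": address, "amount": amount, "cleared": cleared}


# Constructed sample ledger: hypothetical names, accounts and figures, not real data.
LEDGER = [
    rec("P1", date(2013, 11, 4),  "payment", "AP-100", "Acme Supplies",  "12 Mount Rd",    48200.0, date(2013, 11, 9)),
    rec("P2", date(2013, 11, 18), "payment", "AP-100", "Acme Supplies",  "12 Mount Rd",    48200.0, date(2013, 11, 22)),
    rec("P3", date(2013, 11, 25), "payment", "AP-100", "Beta Traders",   "3 Wall Tax Rd",  12750.0, date(2013, 11, 28)),
    rec("R1", date(2013, 12, 2),  "refund",  "AR-200", "S. Kumar",       "7 Anna Salai",    3100.0, date(2013, 12, 5)),
    rec("R2", date(2013, 12, 9),  "refund",  "AR-200", "R. Iyer",        "7 Anna Salai",    2900.0, date(2013, 12, 12)),
    rec("R3", date(2013, 12, 16), "refund",  "AR-200", "M. Das",         "7 Anna Salai",    3300.0, date(2013, 12, 19)),
    rec("C1", date(2013, 5, 15),  "check",   "AP-100", "Gamma Ltd",      "9 Pantheon Rd",   9000.0),
    rec("D1", date(2012, 3, 1),   "payment", "AP-317", "Delta Agencies", "5 Cathedral Rd",   500.0, date(2012, 3, 6)),
    rec("D2", date(2013, 12, 20), "payment", "AP-317", "Delta Agencies", "5 Cathedral Rd", 15000.0, date(2013, 12, 24)),
]


def duplicate_payments(ledger, window_days=30):
    """Same payee and amount paid twice within `window_days` (duplicate payments)."""
    by_key = defaultdict(list)
    for r in ledger:
        if r["type"] == "payment":
            by_key[(r["payee"], r["amount"])].append(r)
    flagged = []
    for group in by_key.values():
        group.sort(key=lambda r: r["date"])
        for a, b in zip(group, group[1:]):
            if (b["date"] - a["date"]).days <= window_days:
                flagged.append((a["id"], b["id"]))
    return flagged


def shared_refund_addresses(ledger, min_payees=2):
    """Refunds to different payees at one address (common addresses for refunds)."""
    payees = defaultdict(set)
    for r in ledger:
        if r["type"] == "refund":
            payees[r["address"]].add(r["payee"])
    return {addr: names for addr, names in payees.items() if len(names) >= min_payees}


def dormant_reactivations(ledger, dormant_days=365):
    """Activity on an account after more than `dormant_days` without any
    (dormant accounts become active). Returns the ids of the reactivating records."""
    by_account = defaultdict(list)
    for r in ledger:
        by_account[r["account"]].append(r)
    flagged = []
    for group in by_account.values():
        group.sort(key=lambda r: r["date"])
        for prev, cur in zip(group, group[1:]):
            if (cur["date"] - prev["date"]).days > dormant_days:
                flagged.append(cur["id"])
    return flagged


def old_outstanding_checks(ledger, as_of, max_age_days=180):
    """Checks issued more than `max_age_days` before `as_of` and never cleared."""
    return [r["id"] for r in ledger
            if r["type"] == "check" and r["cleared"] is None
            and (as_of - r["date"]).days > max_age_days]


def red_flags(ledger, as_of):
    """Run every rule and return the findings keyed by red flag."""
    return {
        "duplicate payments": duplicate_payments(ledger),
        "common addresses for refunds": shared_refund_addresses(ledger),
        "dormant accounts become active": dormant_reactivations(ledger),
        "old outstanding checks": old_outstanding_checks(ledger, as_of),
    }


if __name__ == "__main__":
    for rule, hits in red_flags(LEDGER, date(2014, 1, 6)).items():
        print(f"{rule}: {hits}")
```

Each hit is a lead for the forensic follow-up the deck lists under slide 48, not a finding in itself: a duplicate payment may be a genuine second order, and a shared refund address may be a shared office, so the records behind every flag need to be pulled and examined.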
54. “Honest Abraham” Lincoln
After angrily turning
down a bribe, he said,
“Every man has his
price, and he was
getting close to mine.”
Under the right set of
circumstances anyone could
become a fraud perpetrator.
55. IT Security predictions 2014
1. Pirated software*
Pirated software will drive insecurity in much more dynamic ways than previously realized. Users of pirated software are afraid to download updates, and thus are exposed to security risks because their software is entirely unpatched. Also, newer versions of pirated software now come with malware pre-installed. As a result, users of pirated software will become the new “Typhoid Marys” of the global computing community.
*IBM's X-Force research team
56. IT Security predictions 2014
2. Social engineering meets social networks and ups the ante
Social engineering meets social networks and ups the ante for creative compromises. Criminal organizations are increasingly sophisticated in how they attack different social networking sites. For example, Twitter is being used as a distribution engine for malware. LinkedIn, however, is being used for highly targeted attacks against high-value individuals. We will see these organizations use these sites in creative new ways in 2010 that will accelerate compromises and identity theft, especially as new commercial applications increase the disclosure of valuable personal information on these sites.
57. IT Security predictions 2014
3. Criminals take to the cloud
Criminals take to the cloud. We have already seen the emergence of “exploits as a service.” In 2013 we will see criminals take to cloud computing to increase their efficiency and effectiveness.
58. IT Security predictions 2014
• A rise in attacks on health care organizations will occur for similar reasons;
• continued attacks on retailers big and small, and on tax authorities;
• school systems: anywhere where lots of records are kept by organizations that haven't traditionally had best-practice security in place.
59. Security & Governance - Final Message
“In Governance matters
Past
is no guarantee;
Present is imperfect
&
Future is uncertain“
“Failure is not when we fall down, but when we fail to get up”
60. Let us Secure and Cyber Assure our Enterprises by Good Governance
FOR FURTHER INFORMATION PLEASE CONTACT:
E-MAIL:
ksdir@nic.in
ksmanian48@gmail.com
ksmanian1948@gmail.com
ksmanian20032004@yahoo.com
91-11-22723557